From: Ronan Pigott Date: Sun, 25 Feb 2024 07:23:32 +0000 (-0700) Subject: resolved: reduce the maximum nsec3 iterations to 100 X-Git-Tag: archive/raspbian/247.3-7+rpi1+deb11u7^2~9 X-Git-Url: https://dgit.raspbian.org/?a=commitdiff_plain;h=6a6c6b2e6addc47c8c7bc68d28e4a4c9be099712;p=systemd.git resolved: reduce the maximum nsec3 iterations to 100 According to RFC9267, the 2500 value is not helpful, and in fact it can be harmful to permit a large number of iterations. Combined with limits on the number of signature validations, I expect this will mitigate the impact of maliciously crafted domains designed to cause excessive cryptographic work. Gbp-Pq: Name 0003-resolved-reduce-the-maximum-nsec3-iterations-to-100.patch --- diff --git a/src/resolve/resolved-dns-dnssec.c b/src/resolve/resolved-dns-dnssec.c index 11449a84..c04cec16 100644 --- a/src/resolve/resolved-dns-dnssec.c +++ b/src/resolve/resolved-dns-dnssec.c @@ -18,8 +18,9 @@ /* Permit a maximum clock skew of 1h 10min. This should be enough to deal with DST confusion */ #define SKEW_MAX (1*USEC_PER_HOUR + 10*USEC_PER_MINUTE) -/* Maximum number of NSEC3 iterations we'll do. RFC5155 says 2500 shall be the maximum useful value */ -#define NSEC3_ITERATIONS_MAX 2500 +/* Maximum number of NSEC3 iterations we'll do. RFC5155 says 2500 shall be the maximum useful value, but + * RFC9276 § 3.2 says that we should reduce the acceptable iteration count */ +#define NSEC3_ITERATIONS_MAX 100 /* * The DNSSEC Chain of trust: